Talk:Downgrading with Hardware flasher: Difference between revisions

From PS3 Developer wiki
Jump to navigation Jump to search
m (Dark Mode)
 
(19 intermediate revisions by 3 users not shown)
Line 1: Line 1:
==Quick 'n Dirty prepatched==
==Quick 'n Dirty prepatched==
http://www.ps3devwiki.com/files/firmware/MFW-CEX/Downgrader/
* http://www.psdevwiki.com/files/firmware/MFW-CEX/Downgrader/315-downgrader.pup (163.88 MB)  (MD5:954C3618BDEC277A546739CDB971C957 | SHA1:C074BD80F9F9AD13773163B69C0008528E6C2E6A | CRC16:C0FD | CRC32:75A740C5)
* http://www.psdevwiki.com/files/firmware/MFW-CEX/Downgrader/341-downgrader.pup (167.1 MB) [http://www.mirrorcreator.com/files/1OEUY3WR/341-downgrader.pup_links mirror]
(MD5:533C668CDB8864442991310481BCF64A | SHA1:C7AA2637BA69C675C2F13C214888D0C42EE4CDAF | CRC16:881B | CRC32:0634A651)


* [http://www.multiupload.com/9IATGOGMR1 315-downgrader.pup (163.88 MB)]
* http://www.psdevwiki.com/files/firmware/MFW-CEX/Downgrader/355-downgrader.pup (170.62 MB)
* [http://www.multiupload.com/YZ77XKXMFT 341-downgrader.pup (167.1 MB)]
(MD5:8415159C72CA4050DF8B940874C52921 | SHA1:703368087CE5BF17319676CE6166CE8CCF5877C4 | CRC16:BD6B | CRC32:549F0348)
* [http://www.multiupload.com/0MPIZN8B3L 355-downgrader.pup (170.62 MB)]


*PS3MFW Features Enabled
** Change PUP build / version
** Patch LV1 (downgrader) checks
** Patch LV1 hypervisor:  Allow mapping of any memory area (Needed for LV2 Poke)
** Patch LV2 kernel: Patch to add Peek&Poke system calls to LV2
** Patch package installer: Patch to allow installation of pseudo-retail packages + debug packages
** Patch Application launcher: Patch to allow running of unsigned applications
** Add new icons to the XMB Game category: Add Install Package Files + app_home + icons to the XMB Game Category


== Quick syscon rehashing ==
::PS3MFW Features Enabled
Goal: To be able to install unpatched firmwares on consoles that where previously on 3.56+
::* Change PUP build / version
::* Patch LV1 (downgrader) checks
::* Patch LV1 hypervisor:  Allow mapping of any memory area (Needed for LV2 Poke)
::* Patch LV2 kernel: Patch to add Peek&Poke system calls to LV2
::* Patch package installer: Patch to allow installation of pseudo-retail packages + debug packages
::* Patch Application launcher: Patch to allow running of unsigned applications
::* Add new icons to the XMB Game category: Add Install Package Files + app_home + icons to the XMB Game Category


=== The FSM dance ===
== 3.41 NAND Preloaderdumps downgrader patches ==
NOR only, for now! Don't use directly as is on NAND, because offsets will differ!
Use these NAND patches only on dumps made with NAND Preloader, not regular NAND dumps and not on NOR!
 
=== Patch files used ===
Depending on which step, will be used in one or both ROS areas:
* [http://www.multiupload.com/LDVW5O233F ROS-empty.bin (7 MB)]
* [http://www.multiupload.com/X69SN5258J ROS-filled.bin (7 MB)]
This will be the same for all steps:
* [http://www.multiupload.com/DYBWAJOGQK RVK-0x40000.bin (512 KB)]
 
After each step of patching, enter Factory Service Mode and reinstall nonpatched firmware (e.g. OFW)
 
==== Step1 ====
{|class="wikitable"
{|class="wikitable"
|-
|-
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
! Target area !! Patchfile !! NAND Offset !! Paste length !! Remarks
|-
| ROS0 || coreos_341_lv1_integryty_fix.bin patch1 (7 MB) || 0x080030 || 0x6FFFE0 || CoreOS (prepatched 3.41)
|-
|-
| ROS0 || [http://www.multiupload.com/LDVW5O233F ROS-empty.bin (7 MB)] || 0x0C0000 || 0x6FFFE0 ||  
| ROS1 || coreos_341_lv1_integryty_fix.bin patch1 (7 MB) || 0x780020 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
|-
| ROS1 || [http://www.multiupload.com/LDVW5O233F ROS-empty.bin (7 MB)] || 0x7C0000 || 0x6FFFE0 ||  
| trvk_prg0&nbsp;(0x051800)<br />trvk_prg1&nbsp;(0x052800) || trvk_prg&nbsp;(8&nbsp;KB) || 0x051800 || 0x2000 || double patch overlapping both program revoke area's
|-
|-
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.multiupload.com/DYBWAJOGQK RVK-0x40000.bin (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
| trvk_pkg0&nbsp;(0x053800)<br />trvk_pkg1&nbsp;(0x054800) || trvk_pkg&nbsp;(8&nbsp;KB) || 0x053800 || 0x2000 || double patch overlapping both package revoke area's
|-
|-
|}
|}
==== Step2 ====
(above patches in a single package + autopatcher file: [http://www.mirrorcreator.com/files/GPTTMIPY/3.41_NAND_Preloaderdumps_downgrader_patches.rar_links 3.41_NAND_Preloaderdumps_downgrader_patches.rar])
 
== 3.41 NOR downgrader patches ==
Use [http://www.psdevwiki.com/files/flash/patches/341-NOR%20downgrade/ 3.41-NOR patches] only on NOR consoles, not on NAND!
{|class="wikitable"
{|class="wikitable"
|-
|-
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
|-
|-
| ROS0 || [http://www.multiupload.com/X69SN5258J ROS-filled.bin (7 MB)] || 0x0C0000 || 0x6FFFE0 ||  
| ROS0 || [http://www.psdevwiki.com/files/flash/patches/341-NOR%20downgrade/patch1 patch1 (7 MB)] || 0x0C0010 || 0x6FFFE0 || CoreOS (prepatched 3.55)
|-
|-
| ROS1 || [http://www.multiupload.com/LDVW5O233F ROS-empty.bin (7 MB)] || 0x7C0000 || 0x6FFFE0 ||  
| ROS1 || [http://www.psdevwiki.com/files/flash/patches/341-NOR%20downgrade/patch1 patch1 (7 MB)] || 0x7C0010 || 0x6FFFE0 || CoreOS (SAME as ros0)
|-
|-
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.multiupload.com/DYBWAJOGQK RVK-0x40000.bin (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.psdevwiki.com/files/flash/patches/341-NOR%20downgrade/rvk-040000 rvk-040000 (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
|-
|-
|}
|}
==== Step3 ====
(above patches in a single package + autopatcher file: [http://www.psdevwiki.com/files/flash/patches/341-NOR%20downgrade.rar 341-NOR downgrade.rar] [http://www.mirrorcreator.com/files/QAO9LNID/341-NOR_downgrade.rar_links mirror])
{|class="wikitable"
 
=== E3 Flasher ===
Use these instead (already reversed), otherwise you get into a maze of bytereversing: [http://www.psdevwiki.com/files/flash/patches/341-E3%20downgrade.rar 341-E3 downgrade.rar]
 
== PS3 Nor and Nand Auto Patcher by Rogero ==
=== Source ===
{{Boxcode|code=<syntaxhighlight lang="cpp">
///////////////////////////////////////////////////////////////////////////
// PS3 Nor and Nand Auto Patcher v0.05        by Rogero    25/Mar/2013 //
///////////////////////////////////////////////////////////////////////////
 
 
    #include <iostream>
    #include <fstream>
    //#include <string>
    #include <direct.h>
    #include "ConsoleColor.h"
 
using namespace std;
 
void Patch(char*, char*, char*, int, int);
 
int main(int argc, char * argv[])
    {
    cout<<green<<"-----------------------------------------------------------------------"<<endl;
        cout<<"    PS3 Flash Auto Patcher v4.55              by Rogero  15/Feb/2014"<<endl<<endl;
        cout<<"    ( Patch NOR and NAND Dumps with CFW4.55 patches / No FSM needed )"<<endl;
cout<<"-----------------------------------------------------------------------"<<endl<<endl;
 
 
if(argc < 2){
 
  cout <<white<< endl << "Copy your PS3's Flash Dump into the program's folder,\n\n";
  cout << "Then Drag and Drop your Dump File onto the exe to apply the Downgrade Patches.\n";
      cout <<yellow<< endl << endl << endl << "Press any key to exit.";
  cin.get();
      return 0;
  }
 
 
 
    cout <<yellow<< "Processing the file: " <<white<< endl << argv[1] << "\n\n\n";
 
        //WinXP current directory / Files Path Fix /////////////////////////////////
        string path = argv[0];
        //remove the executable file name from the full path to get current working directory
        path.erase(path.rfind("\\")+1, std::string::npos);
 
        //Change to Current working directory
        _chdir(path.c_str());
        ////////////////////////////////////////////////////////////////////////////
 
 
FILE *ifile;
unsigned char *buf = NULL;
buf = (unsigned char *) malloc(1);
int type = 0; // 0 = NOR , 1 = NOR ByteReversed , 2 = Nand Interleaved , 3 = Unknown , 4 = NOR metldr 2
ifile = fopen( (char*) argv[1], "rb+");
 
// Detect Dump type
/////////////////////////////////////////////////////////////////////
if (ifile != NULL) {
fseek(ifile, 0x40220, SEEK_SET);  // read byte at 0x40220
fread( buf, 1, 1, ifile);
 
//printf("%02X",(int)buf[0]);
if (("%02X",(int)buf[0]) == 0x61) // Nand
{
fseek(ifile, 0x40228, SEEK_SET);
fread( buf, 1, 1, ifile);
if (("%02X",(int)buf[0]) == 0x6C) // double check if Nand
    type = 2;  // Nand
else
type = 3;  // Unknown
}
else
{
if (("%02X",(int)buf[0]) == 0x00) // Nor
{
fseek(ifile, 0x420, SEEK_SET);
fread( buf, 1, 1, ifile);
if (("%02X",(int)buf[0]) == 0x73) // check if ByteReversed
    {
fseek(ifile, 0x826, SEEK_SET);
fread( buf, 1, 1, ifile);
if (("%02X",(int)buf[0]) == 0x32) // check if metldr 2
type = 4;  // Nor with metldr 2
else
type = 1;  // Nor ByteReversed
}
else
{
if (("%02X",(int)buf[0]) == 0x61) // check if Normal
    {
fseek(ifile, 0x827, SEEK_SET);
fread( buf, 1, 1, ifile);
if (("%02X",(int)buf[0]) == 0x32) // check if metldr 2
type = 4;  // Nor with metldr 2
else
type = 0;  // Nor Normal
}
else
type = 3;  // Unknown
}
}
else
type = 3;  // Unknown
}
}
/////////////////////////////////////////////////////////////////////
 
cout <<yellow<< "Opening Files...\n\n";
 
 
if (type == 0) // Normal dump = Progskeet
{
cout << "********************************************************\n";
cout << "* This is a Normal NOR Dump (Progskeet/Winskeet style) *\n";
cout << "********************************************************\n\n"<<white;
 
Patch(argv[1], "Data/patch1n.bin", "Temp_1.bin", 786448, 1);
Patch("Temp_1.bin", "Data/patch1n.bin", "NOR_patched.bin", 8126480, 2);
 
//Patch("bkpps3_Temp_2.bin", "Data/patch2n.bin", "bkpps3_patched.bin", 262144, 3);
}
 
if (type == 1) // Byte-swapped dump = E3
{
cout << "*******************************************************\n";
cout << "* This is a byte-reversed NOR Dump (E3 Flasher style) *\n";
cout << "*******************************************************\n\n"<<white;
 
Patch(argv[1], "Data/patch1r.bin", "Temp_1.bin", 786448, 1);
Patch("Temp_1.bin", "Data/patch1r.bin", "bkpps3_NOR_patched.bin", 8126480, 2);
//Patch("bkpps3_Temp_2.bin", "Data/patch2.bin", "bkpps3_patched.bin", 262144, 3);
}
 
if (type == 0 || type == 1)
{
cout <<yellow<< "Deleting Temp Files....\n";
remove("Temp_1.bin");
//remove("bkpps3_Temp_2.bin");
cout << "Done.\n";
cout << green << endl << endl << "Your NOR Dump was successfully patched and is ready to be flashed.";
cout << yellow <<endl << endl << endl << "Press any key to exit.";
cin.get();
return(0);
}
 
if (type == 2) // Nand
{
cout << "*******************************************************\n";
cout << "* This is an Interleaved NAND Dump (by FlowRebuilder) *\n";
cout << "*******************************************************\n\n"<<white;
 
Patch(argv[1], "Data/patch1n.bin", "Temp_1.bin", 786480, 1);
Patch("Temp_1.bin", "Data/patch1n.bin", "NAND_patched.bin", 8126496, 2);
//Patch("bkpps3_Temp_2.bin", "Data/patch2.bin", "bkpps3_patched.bin", 262144, 3);
 
cout <<yellow<< "Deleting Temp Files....\n";
remove("Temp_1.bin");
//remove("bkpps3_Temp_2.bin");
cout << "Done.\n";
cout << green << endl << endl << "Your NAND Dump was successfully patched and is ready to be re-scrambled"<<endl<<"then de-interleaved into 2 flashes using latest version of FlowRebuilder.";
cout << yellow <<endl << endl << endl << "Press any key to exit.";
cin.get();
return(0);
}
 
if (type == 3) // Unknown
{
cout <<red<< "********************************************************\n";
cout << "* This is an Unknown Flash Type or a Bad File Detected *\n";
cout << "********************************************************\n\n\n"<<white;
 
cout << "The Program will exit now, check your Flash Dump then try again...";
cout << yellow <<endl << endl << endl << "Press any key to exit.";
cin.get();
return(0);
}
 
if (type == 4) // Metldr 2
{
cout <<red<< "***********************************************************************\n";
cout << "* This is a NOR Dump with a Non-Downgradable Metldr revision Detected *\n";
cout << "***********************************************************************\n\n\n"<<white;
 
cout << "The Program will exit now...";
cout << yellow <<endl << endl << endl << "Press any key to exit.";
cin.get();
return(0);
}
 
    } // end main
    //////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////////////////////////////
 
void Patch(char* input, char* patch, char* output, int offset, int no)
    {
    ifstream inmain(input,ios::in|ios::binary);
ifstream inpatch(patch,ios::in|ios::binary);
    ofstream patched(output,ios::out|ios::binary);
 
if ( inmain.is_open() )
  {
if (inpatch.is_open())
{
 
if (patched.is_open())
{
 
cout << "Applying Patch Number "<<no<<"...\n";
 
int patchStartOffset = offset ;
    char ioChar;
    for (int i = 0; i < patchStartOffset; i++)
    {
    inmain.get(ioChar);
    patched.put(ioChar);
    }
 
int patchLen = 0;
while (inpatch.get(ioChar))
    {
patched.put(ioChar);
    patchLen++;
}
 
    streampos mainPos = inmain.tellg();
    mainPos += patchLen;
    inmain.seekg(mainPos);
    while (inmain.get(ioChar))
    {
    patched.put(ioChar);
    }
 
patched.close();
inpatch.close();
inmain.close();
}
else
  {
    cout << "Error opening output file !!\n\n";
cout << "Please make sure you have enough free space to run the program...\n\n\n\n";
cout << "Press any key to exit.";
cin.get();
exit(0);
}
}
else
  {
    cout << "Error opening patch file !!\n\n";
cout << "Please make sure to place the Nor Dump inside the Program's folder\n";
cout << "before you Drag and Drop.\n\n\n\n";
cout << "Press any key to exit.";
cin.get();
exit(0);
}
}
else
  {
    cout << "Error opening input file\n";
cout << "Press any key to exit.";
cin.get();
exit(0);
}
}
</syntaxhighlight>}}
 
== Venix Autopatcher ==
=== Warning ===
{| border="1" cellspacing="0" cellpadding="5" border="#999" class="wikitable" style="border:1px solid #999; border-collapse: collapse;"  
|-
|-
! Target area !! Patchfile !! NOR Offset !! Paste length !! Remarks
! style="background-color:red!important;" | <span style="background-color:lightred; color:white; font-size:200%; ">Warning</span>
|-
|-
| ROS0 || [http://www.multiupload.com/LDVW5O233F ROS-empty.bin (7 MB)] || 0x0C0000 || 0x6FFFE0 ||
| <span style="white; color:red!important; font-size:150%; text-align:center; ">This tool is known and proven to give false positives on bad dumps that lead to permabricks.  
|-
 
| ROS1 || [http://www.multiupload.com/X69SN5258J ROS-filled.bin (7 MB)] || 0x7C0000 || 0x6FFFE0 ||
Use this method: [[Validating flash dumps]] to make sure the dumps are in crisp condition.
|-
 
| trvk_prg0 (0x40000) <br />trvk_prg1 (0x60000)<br />trvk_pkg0 (0x80000) <br />trvk_pkg1 (0xA0000) || [http://www.multiupload.com/DYBWAJOGQK RVK-0x40000.bin (512 KB)] || 0x40000 || 0x80000 || one big patch<br />overlapping several revoke area's
You cannot recover from bad flash without proper dumps (e.g. bricking the console beyond repair).<br />
''<small>note: there are  12½ million bits to permabrick a console</small>''</span>
|-
|-
|}
|}
=== Intro ===
Some portuguese dude (somehow venix name reminds me of a fake bricker CFW and highly hyped and never released manager long time ago) apparently never found wiki guides or used flowrebuilder/winskeet autopatcher or hexeditor with autopatch scripts.
=== Versions ===
Venix Downgrade GUI v1.0.0.0\Venix Downgrade.exe
  SHA1:BED08FC1FEF623C08E84832DAB0DF428D3143BF5 | MD5:1215174ED33E599B7F23F345B01B6EF9 | CRC32:3339B7F8 | CRC16:3F31
  &nbsp;
Venix Downgrade GUI v1.0.0.1\Venix Downgrade.exe
  SHA1:06689D0ACB9072EE0D6BA6B9C7665A4C375F583A | MD5:F7FE9D028DC2DF6DD281E0AA90653DC4 | CRC32:0903470A | CRC16:013F
=== Tests ===
Time for some tests, like I did with [[E3#E3_Nor_dump_checker|E3 Nor dump checker]].
==== Quick bulletproof test ====
does not test:
* bad region - <span style="white; color:red!important;">not detected</span>, user not warned -> result = <span style="white; color:red!important;">brick file</span>
* bad A9 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A10 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A11 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A12 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A13 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A14 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A15 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A16 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A17 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A18 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A19 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A20 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A21 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A22 wire - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad boardID - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad bootldr - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad cCSD unreferenced area - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad cISD unreferenced area - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad EID unreferenced area - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header asecure loader - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header cISD - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header cvtrm - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header eEID - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header metldr - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad metldr - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing bootldr - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing cCSD - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing cISD0 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing cISD1 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing cISD2 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing EID0 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing EID1 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing EID2 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing EID3 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing EID4 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing EID5 - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing metldr - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad/missing PerConsoleNonce - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad patterned non 00's - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad patterned non FF's - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
* bad region - <span style="white; color:red!important;">not detected</span>, patch file created -> result = <span style="white; color:red!important;">brick file</span>
partly test (if user flashes that, it will permabrick):
* bad A0 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A1 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A2 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A3 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A4 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A5 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A6 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A7 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad A8 wire - detected, 00 filled file created -> result = <span style="white; color:red!important;">brick file</span>
* bad header IFI - detected, patch file created -> result = <span style="white; color:red!important;">brick file</span>
does test:
* circulair reference - errors out: "The process cannot access the file '\nor-validationtest\venix.bin' because it is being used by another process." -> result = OK
==== Conclusion ====
Conclusion : '''<span style="white; color:red!important;">USELESS</span>''', brickdumps will still show as 'valid' and corrupt patch files will be generated, not preventing the user from permabricking. <br />
==== Recomendation ====
'''<span style="white; color:red!important;">Recommendation: [[Validating flash dumps|Validate flash dumps]] first and use [http://www.psdevwiki.com/files/flash/Tools/Flowrebuilder/ Flowrebuilder] or [http://www.psdevwiki.com/files/flash/Tools/Progskeet/Winskeet/ Winskeet] with [http://www.psdevwiki.com/files/flash/patches/ autopatcher] instead.'''
=== Newssites that news'ed the 'tool' ===
* <span style="text-decoration: line-through;">http://www.ps3crunch.net/forum/threads/3162-Venix-Downgrade-GUI-released-for-Playstation-3</span> (removed it later)
* http://psx-scene.com/forums/content/venix-downgrade-gui-automated-downgrader-validator-2118 (added warning "USE WITH CAUTION!!!! Read the posts below first!!!!")
* http://www.ps3news.com/ps3-cfw-mfw/venix-downgrade-ps3-4-11-to-3-55-patch-gui-is-released/
=== Newssite that refused to news it ===
* http://www.ps3hax.net/2012/04/warning-venix-autopatcher-is-a-dangerous-tool-do-not-use-it/ (they had read above warning on wiki and decided it was best for their users not to frontpage it)
=== Patches contained inside binairy ===
==== trvk_prg ====
===== 1 =====
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00701BB0                                  00 00 00 00 00            .....
00701BC0  00 00 00 00 00 00 00 00 00 02 E0 53 43 45 00 00  ..........àSCE..
00701BD0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00701BE0  00 02 00 00 00 00 00 00 00 00 E0 11 07 9A A0 E5  ..........à..š å
00701BF0  A2 D4 48 DE 06 9C E7 E3 74 A8 67 33 E5 95 F4 56  ¢ÔHÞ.œçãt¨g3å•ôV
00701C00  F4 DC E3 9B 64 56 A1 0C 11 98 79                ôÜã›dV¡..˜y
...
===== 2 =====
(same as 1)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00702BA0                                  00 00 00 00 00            .....
00702BB0  00 00 00 00 00 00 00 00 00 02 E0 53 43 45 00 00  ..........àSCE..
00702BC0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00702BD0  00 02 00 00 00 00 00 00 00 00 E0 11 07 9A A0 E5  ..........à..š å
00702BE0  A2 D4 48 DE 06 9C E7 E3 74 A8 67 33 E5 95 F4 56  ¢ÔHÞ.œçãt¨g3å•ôV
00702BF0  F4 DC E3 9B 64 56 A1 0C 11 98 79                ôÜã›dV¡..˜y
...
===== 3 =====
(same as 1)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01545B90                                            00 00                ..
01545BA0  00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 53  ..............àS
01545BB0  43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 00  CE..............
01545BC0  00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 11  ..............à.
01545BD0  07 9A A0 E5 A2 D4 48 DE 06 9C E7 E3 74 A8 67 33  .š å¢ÔHÞ.œçãt¨g3
01545BE0  E5 95 F4 56 F4 DC E3 9B 64 56 A1 0C 11 98 79    å•ôVôÜã›dV¡..˜y
...
==== trvk_pkg ====
===== 4 =====
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00703BB0                                  00 00 00 00 00            .....
00703BC0  00 00 00 00 00 00 00 00 00 02 60 53 43 45 00 00  ..........`SCE..
00703BD0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00703BE0  00 02 00 00 00 00 00 00 00 00 60 BD 25 0F C3 46  ..........`½%.ÃF
00703BF0  1C ED 7C A9 0D 0B 63 31 C5 10 FD 5C A0 CA 58 D3  .í|©..c1Å.ý\ ÊXÓ
00703C00  F1 A9 DB B7 03 C5 94 66 83 C1 96                ñ©Û·.Å”fƒÁ–
...
===== 5 =====
(same as 1)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01505B80                00 00 00 00 00 00 00 00 00 00 00      ...........
01505B90  00 00 00 02 60 53 43 45 00 00 00 00 02 00 00 00  ....`SCE........
01505BA0  02 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00  ................
01505BB0  00 00 00 00 60 BD 25 0F C3 46 1C ED 7C A9 0D 0B  ....`½%.ÃF.í|©..
01505BC0  63 31 C5 10 FD 5C A0 CA 58 D3 F1 A9 DB B7 03 C5  c1Å.ý\ ÊXÓñ©Û·.Å
01505BD0  94 66 83 C1 96                                  ”fƒÁ–
...
===== 6 =====
(same as 4)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01525B90        00 00 00 00 00 00 00 00 00 00 00 00 00 00    ..............
01525BA0  02 60 53 43 45 00 00 00 00 02 00 00 00 02 00 00  .`SCE...........
01525BB0  00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00  ................
01525BC0  00 60 BD 25 0F C3 46 1C ED 7C A9 0D 0B 63 31 C5  .`½%.ÃF.í|©..c1Å
01525BD0  10 FD 5C A0 CA 58 D3 F1 A9 DB B7 03 C5 94 66 83  .ý\ ÊXÓñ©Û·.Å”fƒ
01525BE0  C1 96                                            Á–
...
==== ros ====
===== 7 =====
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001BA0                    00 00 00 01 00 00 00 18 00 00        ..........
00001BB0  00 00 00 6F FF E0 00 00 00 00 00 00 04 90 00 00  ...oÿà..........
00001BC0  00 00 00 00 42 98 61 69 6D 5F 73 70 75 5F 6D 6F  ....B˜aim_spu_mo
00001BD0  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......
00001BE0  00 00 00 00 00 00 00 00 00 00 00 00 47 30 00 00  ............G0..
00001BF0  00 00 00 01 F6 D8 61 70 70 6C 64 72 00 00 00 00  ....öØappldr....
00001C00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
===== 8 =====
(same as 7)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00705BA0                                  00 00 00 01 00            .....
00705BB0  00 00 18 00 00 00 00 00 6F FF E0 00 00 00 00 00  ........oÿà.....
00705BC0  00 04 90 00 00 00 00 00 00 42 98 61 69 6D 5F 73  .........B˜aim_s
00705BD0  70 75 5F 6D 6F 64 75 6C 65 2E 73 65 6C 66 00 00  pu_module.self..
00705BE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00705BF0  00 47 30 00 00 00 00 00 01 F6 D8 61 70 70 6C 64  .G0......öØappld
00705C00  72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  r...............
===== 9 =====
(same as 7)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00E05B90                          00 00 00 01 00 00 00 18          ........
00E05BA0  00 00 00 00 00 6F FF E0 00 00 00 00 00 00 04 90  .....oÿà........
00E05BB0  00 00 00 00 00 00 42 98 61 69 6D 5F 73 70 75 5F  ......B˜aim_spu_
00E05BC0  6D 6F 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00  module.self.....
00E05BD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 30  ..............G0
00E05BE0  00 00 00 00 00 01 F6 D8 61 70 70 6C 64 72 00 00  ......öØappldr..
00E05BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
==== Note ====
wiki v2 downgrader contains 2 patchsets, used on 3 offsets. Having 9 sounds like a bit of overkill to bloat the binairy.
=== Checks ===
There is not much checked in the patcher:
- only size is checked
- and header "oÿà" (bytereversed, like with progskeet, teensy etc) versus "àÿo" (as E3).
==== 10 ====
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001A30  0A 4E 00 61 00 6E 00 64 00 31 00 00 00 00 00 18  .N.a.n.d.1......
00001A40  4E 00 61 00 6E 00 64 00 31 00 52 00 65 00 70 00  N.a.n.d.1.R.e.p.
00001A50  65 00 61 00 74 00 31 00 E5 FF 6F 00 14 4E 00 61  e.a.t.1.åÿo..N.a
00001A60  00 6E 00 64 00 31 00 53 00 74 00 61 00 72 00 74  .n.d.1.S.t.a.r.t
00001A70  00 ED FF 6F 00 0A 4E 00 61 00 6E 00 64 00 32 00  .íÿo..N.a.n.d.2.
00001A80  F5 FF 6F 00 14 4E 00 61 00 6E 00 64 00 32 00 53  õÿo..N.a.n.d.2.S
00001A90  00 74 00 61 00 72 00 74 00 FA 3F 70 00 12 4E 00  .t.a.r.t.ú?p..N.
00001AA0  61 00 6E 00 64 00 43 00 6F 00 75 00 6E 00 74 00  a.n.d.C.o.u.n.t.
00001AB0  02 40 70 00 08 4E 00 6F 00 72 00 31 00 05 40 70  [email protected]..@p
00001AC0  00 12 4E 00 6F 00 72 00 31 00 53 00 74 00 61 00  ..N.o.r.1.S.t.a.
00001AD0  72 00 74 00 EA 3F E0 00 08 4E 00 6F 00 72 00 32  r.t.ê?à..N.o.r.2
00001AE0  00 F2 3F E0 00 12 4E 00 6F 00 72 00 32 00 53 00  .ò?à..N.o.r.2.S.
00001AF0  74 00 61 00 72 00 74 00 D7 3F 50 01 08 4E 00 6F  t.a.r.t.×?P..N.o
00001B00  00 72 00 33 00 DF 3F 50 01 12 4E 00 6F 00 72 00  .r.3.ß?P..N.o.r.
00001B10  33 00 53 00 74 00 61 00 72 00 74 00 E4 3F 52 01  3.S.t.a.r.t.ä?R.
00001B20  08 4E 00 6F 00 72 00 34 00 EC 3F 52 01 12 4E 00  .N.o.r.4.ì?R..N.
00001B30  6F 00 72 00 34 00 53 00 74 00 61 00 72 00 74 00  o.r.4.S.t.a.r.t.
00001B40  F1 3F 54 01 08 4E 00 6F 00 72 00 35 00 F9 3F 54  ñ?T..N.o.r.5.ù?T
00001B50  01 12 4E 00 6F 00 72 00 35 00 53 00 74 00 61 00  ..N.o.r.5.S.t.a.
00001B60  72 00 74 00 FE 3F 56 01 08 4E 00 6F 00 72 00 36  r.t.þ?V..N.o.r.6
00001B70  00 06 40 56 01 12 4E 00 6F 00 72 00 36 00 53 00  [email protected].
00001B80  74 00 61 00 72 00 74 00 0B 40 58 01 10 4E 00 6F  [email protected]
00001B90  00 72 00 43 00 6F 00 75 00 6E 00 74 00 13 40 58  .r.C.o.u.n.t..@X
00001BA0  01 20 E0 FF 6F 00 00 00 00 01 00 00 00 18 00 00  . àÿo...........
00001BB0  00 00 00 6F FF E0 00 00 00 00 00 00 04 90 00 00  ...oÿà..........
Thus it fails miserably in the comparison of [[Validating_flash_dumps#Flowrebuilder|Flowrebuilder']] options like un/rescramble + de-/interleave, bytereverse, unpacking and autopatching, while checking and informing the user about possible errors in the dump.


Redump flash after last reinstall of firmware in service mode to check if both ROS areas are occupied.
=== Venix Downgrade GUI v1.2 BETA ===
http://psx-scene.com/forums/content/venix-downgrade-gui-v1-2-beta-improved-validation-2135/


=== Alternative QA way ===
==== Quick bulletproof test ====
# Patch as normal downgrader (ROS 0/1 + RVK prg/pkg) on mainpage
<span style="white; color:red!important;">wrongly detected:</span>
# install prepatched firmware in service mode
* bad A0 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
# enable QA-extra and install unpatched firmware in recovery mode.
* bad A1 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A2 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A3 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A4 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A5 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A6 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A7 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A8 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A9 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A10 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A11 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A12 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A13 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A14 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A15 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A16 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A17 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A18 wire -> <span style="white; color:red!important;">Validation Failedff byte count</span>
* bad A19 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A20 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A21 wire -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad A22 wire -> <span style="white; color:red!important;">Validation Failedff byte count</span>
* bad bootldr -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad bootldr -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad cCSD unreferenced area -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad cISD unreferenced area -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad EID unreferenced area -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad header -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad header asecure loader -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad header cISD -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad header cvtrm -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad header eEID -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad IFI -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad header trvk -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad metldr -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing bootldr -> <span style="white; color:red!important;">Validation Failedff byte count</span>
* bad/missing cCSD -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing cISD0 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing cISD1 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing cISD2 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing EID0 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing EID1 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing EID2 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing EID3 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing EID4 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing EID5 -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing metldr -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad/missing PerConsoleNonce -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad patterned non 00's -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad patterned non FF's -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad region -> <span style="white; color:red!important;">Validation Failed00 byte count</span>
* bad filelength -> <span style="white; color:red!important;">application hangs</span>
* known good reference dumps (184) -> <span style="white; color:red!important;">'''Validation Failed00 byte count'''</span>


=== Alternative shorter reFSM way ===
==== Conclusion ====
# Patch as normal downgrader (ROS 0/1 + RVK prg/pkg) on mainpage
<span style="white; color:red!important;">'''USELESS'''</span>, 100% valid files will be failing 00/ff check. Improper files will be failing 00/ff check too, and no detection of the root of the cause. Nothing was patched and gives the user a permanent false sense of having bad dumps without leads of what to solve.
# install prepatched firmware in service mode
# install unpatched firmware in service mode

Latest revision as of 03:43, 1 July 2023

Quick 'n Dirty prepatched[edit source]

(MD5:533C668CDB8864442991310481BCF64A | SHA1:C7AA2637BA69C675C2F13C214888D0C42EE4CDAF | CRC16:881B | CRC32:0634A651)

(MD5:8415159C72CA4050DF8B940874C52921 | SHA1:703368087CE5BF17319676CE6166CE8CCF5877C4 | CRC16:BD6B | CRC32:549F0348)


PS3MFW Features Enabled
  • Change PUP build / version
  • Patch LV1 (downgrader) checks
  • Patch LV1 hypervisor: Allow mapping of any memory area (Needed for LV2 Poke)
  • Patch LV2 kernel: Patch to add Peek&Poke system calls to LV2
  • Patch package installer: Patch to allow installation of pseudo-retail packages + debug packages
  • Patch Application launcher: Patch to allow running of unsigned applications
  • Add new icons to the XMB Game category: Add Install Package Files + app_home + icons to the XMB Game Category

3.41 NAND Preloaderdumps downgrader patches[edit source]

Use these NAND patches only on dumps made with NAND Preloader, not regular NAND dumps and not on NOR!

Target area Patchfile NAND Offset Paste length Remarks
ROS0 coreos_341_lv1_integryty_fix.bin patch1 (7 MB) 0x080030 0x6FFFE0 CoreOS (prepatched 3.41)
ROS1 coreos_341_lv1_integryty_fix.bin patch1 (7 MB) 0x780020 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x051800)
trvk_prg1 (0x052800)
trvk_prg (8 KB) 0x051800 0x2000 double patch overlapping both program revoke area's
trvk_pkg0 (0x053800)
trvk_pkg1 (0x054800)
trvk_pkg (8 KB) 0x053800 0x2000 double patch overlapping both package revoke area's

(above patches in a single package + autopatcher file: 3.41_NAND_Preloaderdumps_downgrader_patches.rar)

3.41 NOR downgrader patches[edit source]

Use 3.41-NOR patches only on NOR consoles, not on NAND!

Target area Patchfile NOR Offset Paste length Remarks
ROS0 patch1 (7 MB) 0x0C0010 0x6FFFE0 CoreOS (prepatched 3.55)
ROS1 patch1 (7 MB) 0x7C0010 0x6FFFE0 CoreOS (SAME as ros0)
trvk_prg0 (0x40000)
trvk_prg1 (0x60000)
trvk_pkg0 (0x80000)
trvk_pkg1 (0xA0000)
rvk-040000 (512 KB) 0x40000 0x80000 one big patch
overlapping several revoke area's

(above patches in a single package + autopatcher file: 341-NOR downgrade.rar mirror)

E3 Flasher[edit source]

Use these instead (already reversed), otherwise you get into a maze of bytereversing: 341-E3 downgrade.rar

PS3 Nor and Nand Auto Patcher by Rogero[edit source]

Source[edit source]

///////////////////////////////////////////////////////////////////////////
// PS3 Nor and Nand Auto Patcher v0.05         by Rogero    25/Mar/2013 //
///////////////////////////////////////////////////////////////////////////


    #include <iostream>
    #include <fstream>
    //#include <string>
    #include <direct.h>
    #include "ConsoleColor.h"

	using namespace std;

	void Patch(char*, char*, char*, int, int);

	int main(int argc, char * argv[])
    {
    	cout<<green<<"-----------------------------------------------------------------------"<<endl;
        cout<<"    PS3 Flash Auto Patcher v4.55              by Rogero   15/Feb/2014"<<endl<<endl;
        cout<<"    ( Patch NOR and NAND Dumps with CFW4.55 patches / No FSM needed )"<<endl;
		cout<<"-----------------------------------------------------------------------"<<endl<<endl;


		if(argc < 2){

		  cout <<white<< endl << "Copy your PS3's Flash Dump into the program's folder,\n\n";
		  cout << "Then Drag and Drop your Dump File onto the exe to apply the Downgrade Patches.\n";
	      cout <<yellow<< endl << endl << endl << "Press any key to exit.";
		  cin.get();
	      return 0;
	  	}



	    cout <<yellow<< "Processing the file: " <<white<< endl << argv[1] << "\n\n\n";

        //WinXP current directory / Files Path Fix /////////////////////////////////
        string path = argv[0];
        //remove the executable file name from the full path to get current working directory
        path.erase(path.rfind("\\")+1, std::string::npos);

        //Change to Current working directory
        _chdir(path.c_str());
        ////////////////////////////////////////////////////////////////////////////


		FILE *ifile;
		unsigned char *buf = NULL;
		buf = (unsigned char *) malloc(1);
		int type = 0; // 0 = NOR , 1 = NOR ByteReversed , 2 = Nand Interleaved , 3 = Unknown , 4 = NOR metldr 2
		ifile = fopen( (char*) argv[1], "rb+");

		// Detect Dump type
		/////////////////////////////////////////////////////////////////////
		if (ifile != NULL) {
			fseek(ifile, 0x40220, SEEK_SET);  // read byte at 0x40220
			fread( buf, 1, 1, ifile);

			//printf("%02X",(int)buf[0]);
			if (("%02X",(int)buf[0]) == 0x61) // Nand
			{
				fseek(ifile, 0x40228, SEEK_SET);
				fread( buf, 1, 1, ifile);
				if (("%02X",(int)buf[0]) == 0x6C) // double check if Nand
				    type = 2;  // Nand
				else
					type = 3;  // Unknown
			}
			else
			{
				if (("%02X",(int)buf[0]) == 0x00) // Nor
				{
					fseek(ifile, 0x420, SEEK_SET);
					fread( buf, 1, 1, ifile);
					if (("%02X",(int)buf[0]) == 0x73) // check if ByteReversed
				    {
						fseek(ifile, 0x826, SEEK_SET);
						fread( buf, 1, 1, ifile);
						if (("%02X",(int)buf[0]) == 0x32) // check if metldr 2
								type = 4;  // Nor with metldr 2
							else
								type = 1;  // Nor ByteReversed
					}
					else
					{
						if (("%02X",(int)buf[0]) == 0x61) // check if Normal
				    	{
							fseek(ifile, 0x827, SEEK_SET);
							fread( buf, 1, 1, ifile);
							if (("%02X",(int)buf[0]) == 0x32) // check if metldr 2
								type = 4;  // Nor with metldr 2
							else
								type = 0;  // Nor Normal
						}
						else
							type = 3;  // Unknown
					}
				}
				else
					type = 3;  // Unknown
			}
		}
		/////////////////////////////////////////////////////////////////////

		cout <<yellow<< "Opening Files...\n\n";


		if (type == 0) // Normal dump = Progskeet
		{
			cout << "********************************************************\n";
			cout << "* This is a Normal NOR Dump (Progskeet/Winskeet style) *\n";
			cout << "********************************************************\n\n"<<white;

			Patch(argv[1], "Data/patch1n.bin", "Temp_1.bin", 786448, 1);
			Patch("Temp_1.bin", "Data/patch1n.bin", "NOR_patched.bin", 8126480, 2);

			//Patch("bkpps3_Temp_2.bin", "Data/patch2n.bin", "bkpps3_patched.bin", 262144, 3);
		}

		if (type == 1) // Byte-swapped dump = E3
		{
			cout << "*******************************************************\n";
			cout << "* This is a byte-reversed NOR Dump (E3 Flasher style) *\n";
			cout << "*******************************************************\n\n"<<white;

			Patch(argv[1], "Data/patch1r.bin", "Temp_1.bin", 786448, 1);
			Patch("Temp_1.bin", "Data/patch1r.bin", "bkpps3_NOR_patched.bin", 8126480, 2);
			//Patch("bkpps3_Temp_2.bin", "Data/patch2.bin", "bkpps3_patched.bin", 262144, 3);
		}

		if (type == 0 || type == 1)
		{
			cout <<yellow<< "Deleting Temp Files....\n";
			remove("Temp_1.bin");
			//remove("bkpps3_Temp_2.bin");
			cout << "Done.\n";
			cout << green << endl << endl << "Your NOR Dump was successfully patched and is ready to be flashed.";
			cout << yellow <<endl << endl << endl << "Press any key to exit.";
			cin.get();
			return(0);
		}

		if (type == 2) // Nand
		{
			cout << "*******************************************************\n";
			cout << "* This is an Interleaved NAND Dump (by FlowRebuilder) *\n";
			cout << "*******************************************************\n\n"<<white;

			Patch(argv[1], "Data/patch1n.bin", "Temp_1.bin", 786480, 1);
			Patch("Temp_1.bin", "Data/patch1n.bin", "NAND_patched.bin", 8126496, 2);
			//Patch("bkpps3_Temp_2.bin", "Data/patch2.bin", "bkpps3_patched.bin", 262144, 3);

			cout <<yellow<< "Deleting Temp Files....\n";
			remove("Temp_1.bin");
			//remove("bkpps3_Temp_2.bin");
			cout << "Done.\n";
			cout << green << endl << endl << "Your NAND Dump was successfully patched and is ready to be re-scrambled"<<endl<<"then de-interleaved into 2 flashes using latest version of FlowRebuilder.";
			cout << yellow <<endl << endl << endl << "Press any key to exit.";
			cin.get();
			return(0);
		}

		if (type == 3) // Unknown
		{
			cout <<red<< "********************************************************\n";
			cout << "* This is an Unknown Flash Type or a Bad File Detected *\n";
			cout << "********************************************************\n\n\n"<<white;

			cout << "The Program will exit now, check your Flash Dump then try again...";
			cout << yellow <<endl << endl << endl << "Press any key to exit.";
			cin.get();
			return(0);
		}

		if (type == 4) // Metldr 2
		{
			cout <<red<< "***********************************************************************\n";
			cout << "* This is a NOR Dump with a Non-Downgradable Metldr revision Detected *\n";
			cout << "***********************************************************************\n\n\n"<<white;

			cout << "The Program will exit now...";
			cout << yellow <<endl << endl << endl << "Press any key to exit.";
			cin.get();
			return(0);
		}

    } // end main
    //////////////////////////////////////////////////////////////////////////////////////////////////////////////
	//////////////////////////////////////////////////////////////////////////////////////////////////////////////
	//////////////////////////////////////////////////////////////////////////////////////////////////////////////

	void Patch(char* input, char* patch, char* output, int offset, int no)
    {
    	ifstream inmain(input,ios::in|ios::binary);
		ifstream inpatch(patch,ios::in|ios::binary);
    	ofstream patched(output,ios::out|ios::binary);

		if ( inmain.is_open() )
  		{
			if (inpatch.is_open())
			{

				if (patched.is_open())
				{

					cout << "Applying Patch Number "<<no<<"...\n";

					int patchStartOffset = offset ;
    				char ioChar;
    				for (int i = 0; i < patchStartOffset; i++)
    				{
    					inmain.get(ioChar);
    					patched.put(ioChar);
    				}

					int patchLen = 0;
					while (inpatch.get(ioChar))
    				{
						patched.put(ioChar);
    					patchLen++;
					}

    				streampos mainPos = inmain.tellg();
    				mainPos += patchLen;
    				inmain.seekg(mainPos);
    				while (inmain.get(ioChar))
    				{
    					patched.put(ioChar);
    				}

					patched.close();
					inpatch.close();
					inmain.close();
				}
				else
  				{
    				cout << "Error opening output file !!\n\n";
					cout << "Please make sure you have enough free space to run the program...\n\n\n\n";
					cout << "Press any key to exit.";
					cin.get();
					exit(0);
				}
			}
			else
  			{
    			cout << "Error opening patch file !!\n\n";
				cout << "Please make sure to place the Nor Dump inside the Program's folder\n";
				cout << "before you Drag and Drop.\n\n\n\n";
				cout << "Press any key to exit.";
				cin.get();
				exit(0);
			}
		}
		else
  		{
    		cout << "Error opening input file\n";
			cout << "Press any key to exit.";
			cin.get();
			exit(0);
		}
	}

Venix Autopatcher[edit source]

Warning[edit source]

Warning
This tool is known and proven to give false positives on bad dumps that lead to permabricks.

Use this method: Validating flash dumps to make sure the dumps are in crisp condition.

You cannot recover from bad flash without proper dumps (e.g. bricking the console beyond repair).
note: there are 12½ million bits to permabrick a console

Intro[edit source]

Some portuguese dude (somehow venix name reminds me of a fake bricker CFW and highly hyped and never released manager long time ago) apparently never found wiki guides or used flowrebuilder/winskeet autopatcher or hexeditor with autopatch scripts.

Versions[edit source]

Venix Downgrade GUI v1.0.0.0\Venix Downgrade.exe
 SHA1:BED08FC1FEF623C08E84832DAB0DF428D3143BF5 | MD5:1215174ED33E599B7F23F345B01B6EF9 | CRC32:3339B7F8 | CRC16:3F31
   
Venix Downgrade GUI v1.0.0.1\Venix Downgrade.exe
 SHA1:06689D0ACB9072EE0D6BA6B9C7665A4C375F583A | MD5:F7FE9D028DC2DF6DD281E0AA90653DC4 | CRC32:0903470A | CRC16:013F

Tests[edit source]

Time for some tests, like I did with E3 Nor dump checker.

Quick bulletproof test[edit source]

does not test:

  • bad region - not detected, user not warned -> result = brick file
  • bad A9 wire - not detected, patch file created -> result = brick file
  • bad A10 wire - not detected, patch file created -> result = brick file
  • bad A11 wire - not detected, patch file created -> result = brick file
  • bad A12 wire - not detected, patch file created -> result = brick file
  • bad A13 wire - not detected, patch file created -> result = brick file
  • bad A14 wire - not detected, patch file created -> result = brick file
  • bad A15 wire - not detected, patch file created -> result = brick file
  • bad A16 wire - not detected, patch file created -> result = brick file
  • bad A17 wire - not detected, patch file created -> result = brick file
  • bad A18 wire - not detected, patch file created -> result = brick file
  • bad A19 wire - not detected, patch file created -> result = brick file
  • bad A20 wire - not detected, patch file created -> result = brick file
  • bad A21 wire - not detected, patch file created -> result = brick file
  • bad A22 wire - not detected, patch file created -> result = brick file
  • bad boardID - not detected, patch file created -> result = brick file
  • bad bootldr - not detected, patch file created -> result = brick file
  • bad cCSD unreferenced area - not detected, patch file created -> result = brick file
  • bad cISD unreferenced area - not detected, patch file created -> result = brick file
  • bad EID unreferenced area - not detected, patch file created -> result = brick file
  • bad header - not detected, patch file created -> result = brick file
  • bad header asecure loader - not detected, patch file created -> result = brick file
  • bad header cISD - not detected, patch file created -> result = brick file
  • bad header cvtrm - not detected, patch file created -> result = brick file
  • bad header eEID - not detected, patch file created -> result = brick file
  • bad header metldr - not detected, patch file created -> result = brick file
  • bad metldr - not detected, patch file created -> result = brick file
  • bad/missing bootldr - not detected, patch file created -> result = brick file
  • bad/missing cCSD - not detected, patch file created -> result = brick file
  • bad/missing cISD0 - not detected, patch file created -> result = brick file
  • bad/missing cISD1 - not detected, patch file created -> result = brick file
  • bad/missing cISD2 - not detected, patch file created -> result = brick file
  • bad/missing EID0 - not detected, patch file created -> result = brick file
  • bad/missing EID1 - not detected, patch file created -> result = brick file
  • bad/missing EID2 - not detected, patch file created -> result = brick file
  • bad/missing EID3 - not detected, patch file created -> result = brick file
  • bad/missing EID4 - not detected, patch file created -> result = brick file
  • bad/missing EID5 - not detected, patch file created -> result = brick file
  • bad/missing metldr - not detected, patch file created -> result = brick file
  • bad/missing PerConsoleNonce - not detected, patch file created -> result = brick file
  • bad patterned non 00's - not detected, patch file created -> result = brick file
  • bad patterned non FF's - not detected, patch file created -> result = brick file
  • bad region - not detected, patch file created -> result = brick file

partly test (if user flashes that, it will permabrick):

  • bad A0 wire - detected, 00 filled file created -> result = brick file
  • bad A1 wire - detected, 00 filled file created -> result = brick file
  • bad A2 wire - detected, 00 filled file created -> result = brick file
  • bad A3 wire - detected, 00 filled file created -> result = brick file
  • bad A4 wire - detected, 00 filled file created -> result = brick file
  • bad A5 wire - detected, 00 filled file created -> result = brick file
  • bad A6 wire - detected, 00 filled file created -> result = brick file
  • bad A7 wire - detected, 00 filled file created -> result = brick file
  • bad A8 wire - detected, 00 filled file created -> result = brick file
  • bad header IFI - detected, patch file created -> result = brick file

does test:

  • circulair reference - errors out: "The process cannot access the file '\nor-validationtest\venix.bin' because it is being used by another process." -> result = OK

Conclusion[edit source]

Conclusion : USELESS, brickdumps will still show as 'valid' and corrupt patch files will be generated, not preventing the user from permabricking.

Recomendation[edit source]

Recommendation: Validate flash dumps first and use Flowrebuilder or Winskeet with autopatcher instead.

Newssites that news'ed the 'tool'[edit source]

Newssite that refused to news it[edit source]

Patches contained inside binairy[edit source]

trvk_prg[edit source]

1[edit source]
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00701BB0                                   00 00 00 00 00             .....
00701BC0  00 00 00 00 00 00 00 00 00 02 E0 53 43 45 00 00  ..........àSCE..
00701BD0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00701BE0  00 02 00 00 00 00 00 00 00 00 E0 11 07 9A A0 E5  ..........à..š å
00701BF0  A2 D4 48 DE 06 9C E7 E3 74 A8 67 33 E5 95 F4 56  ¢ÔHÞ.œçãt¨g3å•ôV
00701C00  F4 DC E3 9B 64 56 A1 0C 11 98 79                 ôÜã›dV¡..˜y
...
2[edit source]

(same as 1)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00702BA0                                   00 00 00 00 00             .....
00702BB0  00 00 00 00 00 00 00 00 00 02 E0 53 43 45 00 00  ..........àSCE..
00702BC0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00702BD0  00 02 00 00 00 00 00 00 00 00 E0 11 07 9A A0 E5  ..........à..š å
00702BE0  A2 D4 48 DE 06 9C E7 E3 74 A8 67 33 E5 95 F4 56  ¢ÔHÞ.œçãt¨g3å•ôV
00702BF0  F4 DC E3 9B 64 56 A1 0C 11 98 79                 ôÜã›dV¡..˜y
...
3[edit source]

(same as 1)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01545B90                                            00 00                ..
01545BA0  00 00 00 00 00 00 00 00 00 00 00 00 00 02 E0 53  ..............àS
01545BB0  43 45 00 00 00 00 02 00 00 00 02 00 00 00 00 00  CE..............
01545BC0  00 00 00 00 00 02 00 00 00 00 00 00 00 00 E0 11  ..............à.
01545BD0  07 9A A0 E5 A2 D4 48 DE 06 9C E7 E3 74 A8 67 33  .š å¢ÔHÞ.œçãt¨g3
01545BE0  E5 95 F4 56 F4 DC E3 9B 64 56 A1 0C 11 98 79     å•ôVôÜã›dV¡..˜y
...

trvk_pkg[edit source]

4[edit source]
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00703BB0                                   00 00 00 00 00             .....
00703BC0  00 00 00 00 00 00 00 00 00 02 60 53 43 45 00 00  ..........`SCE..
00703BD0  00 00 02 00 00 00 02 00 00 00 00 00 00 00 00 00  ................
00703BE0  00 02 00 00 00 00 00 00 00 00 60 BD 25 0F C3 46  ..........`½%.ÃF
00703BF0  1C ED 7C A9 0D 0B 63 31 C5 10 FD 5C A0 CA 58 D3  .í|©..c1Å.ý\ ÊXÓ
00703C00  F1 A9 DB B7 03 C5 94 66 83 C1 96                 ñ©Û·.Å”fƒÁ–
...
5[edit source]

(same as 1)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01505B80                 00 00 00 00 00 00 00 00 00 00 00       ...........
01505B90  00 00 00 02 60 53 43 45 00 00 00 00 02 00 00 00  ....`SCE........
01505BA0  02 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00  ................
01505BB0  00 00 00 00 60 BD 25 0F C3 46 1C ED 7C A9 0D 0B  ....`½%.ÃF.í|©..
01505BC0  63 31 C5 10 FD 5C A0 CA 58 D3 F1 A9 DB B7 03 C5  c1Å.ý\ ÊXÓñ©Û·.Å
01505BD0  94 66 83 C1 96                                   ”fƒÁ–
...
6[edit source]

(same as 4)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
01525B90        00 00 00 00 00 00 00 00 00 00 00 00 00 00    ..............
01525BA0  02 60 53 43 45 00 00 00 00 02 00 00 00 02 00 00  .`SCE...........
01525BB0  00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00  ................
01525BC0  00 60 BD 25 0F C3 46 1C ED 7C A9 0D 0B 63 31 C5  .`½%.ÃF.í|©..c1Å
01525BD0  10 FD 5C A0 CA 58 D3 F1 A9 DB B7 03 C5 94 66 83  .ý\ ÊXÓñ©Û·.Å”fƒ
01525BE0  C1 96                                            Á–
...

ros[edit source]

7[edit source]
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001BA0                    00 00 00 01 00 00 00 18 00 00        ..........
00001BB0  00 00 00 6F FF E0 00 00 00 00 00 00 04 90 00 00  ...oÿà..........
00001BC0  00 00 00 00 42 98 61 69 6D 5F 73 70 75 5F 6D 6F  ....B˜aim_spu_mo
00001BD0  64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00 00 00  dule.self.......
00001BE0  00 00 00 00 00 00 00 00 00 00 00 00 47 30 00 00  ............G0..
00001BF0  00 00 00 01 F6 D8 61 70 70 6C 64 72 00 00 00 00  ....öØappldr....
00001C00  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
8[edit source]
(same as 7)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00705BA0                                   00 00 00 01 00             .....
00705BB0  00 00 18 00 00 00 00 00 6F FF E0 00 00 00 00 00  ........oÿà.....
00705BC0  00 04 90 00 00 00 00 00 00 42 98 61 69 6D 5F 73  .........B˜aim_s
00705BD0  70 75 5F 6D 6F 64 75 6C 65 2E 73 65 6C 66 00 00  pu_module.self..
00705BE0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00705BF0  00 47 30 00 00 00 00 00 01 F6 D8 61 70 70 6C 64  .G0......öØappld
00705C00  72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  r...............
9[edit source]
(same as 7)
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00E05B90                          00 00 00 01 00 00 00 18          ........
00E05BA0  00 00 00 00 00 6F FF E0 00 00 00 00 00 00 04 90  .....oÿà........
00E05BB0  00 00 00 00 00 00 42 98 61 69 6D 5F 73 70 75 5F  ......B˜aim_spu_
00E05BC0  6D 6F 64 75 6C 65 2E 73 65 6C 66 00 00 00 00 00  module.self.....
00E05BD0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 47 30  ..............G0
00E05BE0  00 00 00 00 00 01 F6 D8 61 70 70 6C 64 72 00 00  ......öØappldr..
00E05BF0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

Note[edit source]

wiki v2 downgrader contains 2 patchsets, used on 3 offsets. Having 9 sounds like a bit of overkill to bloat the binairy.

Checks[edit source]

There is not much checked in the patcher: - only size is checked - and header "oÿà" (bytereversed, like with progskeet, teensy etc) versus "àÿo" (as E3).

10[edit source]

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
00001A30  0A 4E 00 61 00 6E 00 64 00 31 00 00 00 00 00 18  .N.a.n.d.1......
00001A40  4E 00 61 00 6E 00 64 00 31 00 52 00 65 00 70 00  N.a.n.d.1.R.e.p.
00001A50  65 00 61 00 74 00 31 00 E5 FF 6F 00 14 4E 00 61  e.a.t.1.åÿo..N.a
00001A60  00 6E 00 64 00 31 00 53 00 74 00 61 00 72 00 74  .n.d.1.S.t.a.r.t
00001A70  00 ED FF 6F 00 0A 4E 00 61 00 6E 00 64 00 32 00  .íÿo..N.a.n.d.2.
00001A80  F5 FF 6F 00 14 4E 00 61 00 6E 00 64 00 32 00 53  õÿo..N.a.n.d.2.S
00001A90  00 74 00 61 00 72 00 74 00 FA 3F 70 00 12 4E 00  .t.a.r.t.ú?p..N.
00001AA0  61 00 6E 00 64 00 43 00 6F 00 75 00 6E 00 74 00  a.n.d.C.o.u.n.t.
00001AB0  02 40 70 00 08 4E 00 6F 00 72 00 31 00 05 40 70  [email protected]..@p
00001AC0  00 12 4E 00 6F 00 72 00 31 00 53 00 74 00 61 00  ..N.o.r.1.S.t.a.
00001AD0  72 00 74 00 EA 3F E0 00 08 4E 00 6F 00 72 00 32  r.t.ê?à..N.o.r.2
00001AE0  00 F2 3F E0 00 12 4E 00 6F 00 72 00 32 00 53 00  .ò?à..N.o.r.2.S.
00001AF0  74 00 61 00 72 00 74 00 D7 3F 50 01 08 4E 00 6F  t.a.r.t.×?P..N.o
00001B00  00 72 00 33 00 DF 3F 50 01 12 4E 00 6F 00 72 00  .r.3.ß?P..N.o.r.
00001B10  33 00 53 00 74 00 61 00 72 00 74 00 E4 3F 52 01  3.S.t.a.r.t.ä?R.
00001B20  08 4E 00 6F 00 72 00 34 00 EC 3F 52 01 12 4E 00  .N.o.r.4.ì?R..N.
00001B30  6F 00 72 00 34 00 53 00 74 00 61 00 72 00 74 00  o.r.4.S.t.a.r.t.
00001B40  F1 3F 54 01 08 4E 00 6F 00 72 00 35 00 F9 3F 54  ñ?T..N.o.r.5.ù?T
00001B50  01 12 4E 00 6F 00 72 00 35 00 53 00 74 00 61 00  ..N.o.r.5.S.t.a.
00001B60  72 00 74 00 FE 3F 56 01 08 4E 00 6F 00 72 00 36  r.t.þ?V..N.o.r.6
00001B70  00 06 40 56 01 12 4E 00 6F 00 72 00 36 00 53 00  [email protected].
00001B80  74 00 61 00 72 00 74 00 0B 40 58 01 10 4E 00 6F  [email protected]
00001B90  00 72 00 43 00 6F 00 75 00 6E 00 74 00 13 40 58  .r.C.o.u.n.t..@X
00001BA0  01 20 E0 FF 6F 00 00 00 00 01 00 00 00 18 00 00  . àÿo...........
00001BB0  00 00 00 6F FF E0 00 00 00 00 00 00 04 90 00 00  ...oÿà..........

Thus it fails miserably in the comparison of Flowrebuilder' options like un/rescramble + de-/interleave, bytereverse, unpacking and autopatching, while checking and informing the user about possible errors in the dump.


Venix Downgrade GUI v1.2 BETA[edit source]

http://psx-scene.com/forums/content/venix-downgrade-gui-v1-2-beta-improved-validation-2135/

Quick bulletproof test[edit source]

wrongly detected:

  • bad A0 wire -> Validation Failed00 byte count
  • bad A1 wire -> Validation Failed00 byte count
  • bad A2 wire -> Validation Failed00 byte count
  • bad A3 wire -> Validation Failed00 byte count
  • bad A4 wire -> Validation Failed00 byte count
  • bad A5 wire -> Validation Failed00 byte count
  • bad A6 wire -> Validation Failed00 byte count
  • bad A7 wire -> Validation Failed00 byte count
  • bad A8 wire -> Validation Failed00 byte count
  • bad A9 wire -> Validation Failed00 byte count
  • bad A10 wire -> Validation Failed00 byte count
  • bad A11 wire -> Validation Failed00 byte count
  • bad A12 wire -> Validation Failed00 byte count
  • bad A13 wire -> Validation Failed00 byte count
  • bad A14 wire -> Validation Failed00 byte count
  • bad A15 wire -> Validation Failed00 byte count
  • bad A16 wire -> Validation Failed00 byte count
  • bad A17 wire -> Validation Failed00 byte count
  • bad A18 wire -> Validation Failedff byte count
  • bad A19 wire -> Validation Failed00 byte count
  • bad A20 wire -> Validation Failed00 byte count
  • bad A21 wire -> Validation Failed00 byte count
  • bad A22 wire -> Validation Failedff byte count
  • bad bootldr -> Validation Failed00 byte count
  • bad bootldr -> Validation Failed00 byte count
  • bad cCSD unreferenced area -> Validation Failed00 byte count
  • bad cISD unreferenced area -> Validation Failed00 byte count
  • bad EID unreferenced area -> Validation Failed00 byte count
  • bad header -> Validation Failed00 byte count
  • bad header asecure loader -> Validation Failed00 byte count
  • bad header cISD -> Validation Failed00 byte count
  • bad header cvtrm -> Validation Failed00 byte count
  • bad header eEID -> Validation Failed00 byte count
  • bad IFI -> Validation Failed00 byte count
  • bad header trvk -> Validation Failed00 byte count
  • bad metldr -> Validation Failed00 byte count
  • bad/missing bootldr -> Validation Failedff byte count
  • bad/missing cCSD -> Validation Failed00 byte count
  • bad/missing cISD0 -> Validation Failed00 byte count
  • bad/missing cISD1 -> Validation Failed00 byte count
  • bad/missing cISD2 -> Validation Failed00 byte count
  • bad/missing EID0 -> Validation Failed00 byte count
  • bad/missing EID1 -> Validation Failed00 byte count
  • bad/missing EID2 -> Validation Failed00 byte count
  • bad/missing EID3 -> Validation Failed00 byte count
  • bad/missing EID4 -> Validation Failed00 byte count
  • bad/missing EID5 -> Validation Failed00 byte count
  • bad/missing metldr -> Validation Failed00 byte count
  • bad/missing PerConsoleNonce -> Validation Failed00 byte count
  • bad patterned non 00's -> Validation Failed00 byte count
  • bad patterned non FF's -> Validation Failed00 byte count
  • bad region -> Validation Failed00 byte count
  • bad filelength -> application hangs
  • known good reference dumps (184) -> Validation Failed00 byte count

Conclusion[edit source]

USELESS, 100% valid files will be failing 00/ff check. Improper files will be failing 00/ff check too, and no detection of the root of the cause. Nothing was patched and gives the user a permanent false sense of having bad dumps without leads of what to solve.